Master Thesis Proposal

Master Thesis Proposal

Master Thesis Proposal

Implementation of Protected Extensible Authentication Protocol (PEAP) - An IEEE 802.1x wireless LAN standard for authentication.

Nirmala Bulusu

1. Committee members and Signatures:

Approved by Date

______

Advisor: Dr. Edward Chow

______

Committee member: Terrance Boult

______

Committee member: Xiaobo zhou

2. Introduction

The main goal of this thesis is to offer a server side implementation of the Protected Extensible Authentication Protocol (PEAP). PEAP is an 802.1x EAP authentication protocol designed typically for access control in wireless LANs. It makes use of two very well known protocols Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS) as a way to securely transport authentication data, including passwords, over 802.11 wireless networks.

The key standard for wireless LAN authentication is the IEEE 802.1x standard.

802.1x is a layer 2 port-based access control mechanism used for transmitting data between the endpoint (Supplicant) and the authentication server like Remote Authentication Dial-In User Service (RADIUS). The 802.1x principle of operation is given below [Figure 1 adapted from IEEE Aboba’s 802.1x paper]


Figure 1: Principal of Operation Among the IEEE 802.1x Elements

The 802.1x protocol is only a transport mechanism and the actual authentication takes place in the Extensible Authentication Protocol (EAP) defined by IETF. EAP is an authentication protocol that typically rides on top of another protocol such as 802.1x, RADIUS, PPP etc. It defines a standard message exchange that allows a server to authenticate a client based on an authentication protocol agreed upon by both parties. The EAP architecture depicting the wireless LAN security framework is given below.

Figure 2: Wireless LAN Security Framework

Among the diverse methods used by EAP to perform authentication, EAP-TLS is the most commonly implemented EAP type for WLANs. It makes use of the existing SSL 3.0 protocol and its authentication is based on the PKI support using X.509 certificates. Although EAP-TLS provides protection from most attacks, a number of weaknesses have become apparent since its deployment. These include lack of user identity protection, no standardized key exchange mechanism, no built-in support for fragmentation and re-assembly and lack of support for fast reconnect. Also as the protocol needs client certificate in order to authenticate the client, deploying EAP-TLS is complicated.

Two new quite similar protocols namely EAP-TTLS and “Protected” EAP (PEAP) were developed in response to the PKI barrier in EAP-TLS. Both use the transport layer security [TLS] to authenticate the server and offer tunneling of other authentication methods to authenticate the client.

PEAP was developed by Microsoft, Cisco and RSA security and is currently an Internet draft. PEAP uses Transport Layer Security (TLS) to create an encrypted channel between an authenticating EAP client and an EAP authenticator. It does not specify an authentication method, but provides a secure wrapper for other EAP authentication protocols, such as EAP MS-CHAP. There are two built-in EAP types for use within PEAP, and they are EAP TLS and EAP MS-CHAP. The Protected EAP protocol attempts to fix the problems found in EAP. It provides for mutual authentication, key generation, and client identity protection and supports quick re-authentication.

PEAP performs authentication in two phases. In the first phase the Authentication Server is authenticated to the Supplicant using an X.509 certificate. Using TLS, a secure channel is established through which any other EAP-Type can be used to authenticate the client (Supplicant) to the Authentication Server during the second phase. A certificate is only required at the Authentication Server. EAP-PEAP also supports identity hiding where the Authenticator is only aware of the anonymous username used to establish the TLS channel during the first phase but not the individual user authenticated during the second phase.

Test Bench for setting up PEAP

The development environment components required for implementing and setting up PEAP are:

•Client wireless network adaptor compatible with 802.1x.

•Client access software capable of EAP – Xsupplicant

•Wireless access point (base station) compatible with 802.1x and EAP

•RADIUS (authentication server) compatible with EAP – FreeRadius

•PKI (public key infrastructure) – Beta Version of OpenSSL

The development environment is already set up in our lab as shown in Figure 3.

Figure 3: Test Bench set-up in the Lab

3. Thesis Plan

The goal of this thesis work is to implement a basic server-side working model of the PEAP protocol on a Linux Server based on the IETF internet draft proposal [ draft-josefsson-pppext-eap-tls-eap-06.txt ]

and perform a comparison between the two 802.1x EAP standards – TTLS and PEAP.

3.1 Tasks:

3.1.1Work done till date:

  • Installing and Configuring the Client Side software – Xsupplicant [
  • Installing and configuring Radius Server - FreeRadius [
  • Installing and configuring OpenSSL. [
  • Set-up a test bench to test EAP-TLS with the above configured software.
  • Running Xsupplicant, Cisco AP-1200 and FreeRadius with EAP type set to TLS. Successfully established the Authentication.

3.1.2Work in progress:

  • Study and analyzeboth the Client [Xsupplicant] and Server side [Free Radius] implementations of the IEEE 802.1x EAP protocol.

3.1.3Work to be done:

  • Implement the Server Side Code with PEAP modules to authenticate PEAP Users.
  • Configure Xsupplicant, FreeRadius and the Access Point to support EAP type PEAP.
  • Test the implementation of the PEAP modules.
  • Run and test Xsupplicant, Cisco AP-1200 and FreeRadius set-up configured to EAP type TTLS and EAP type PEAP.
  • Study and analyze the logs showing the protocol handshakes using packages like ethereal and tcpdump.
  • Compare performance of the two protocols TTLS and PEAP.
  • Write Thesis

3.2Deliverables:

  • A thesis report documenting the implementation details of the PEAP module on freeradius and xsupplicant. Should also include the configuration details of the wireless network set-upand lessons learned in this thesis project.
  • The source code of the PEAP module.

4. References:

[1] Protected EAP (IETF draft, work in progress) March 2003:

[2] IEEE 802.1X Port Based Network Access Control, by Paul Congdon:

[3] The Unofficial 802.11 Security Web Page. Security analyses of 802.11

[4] PPP Extensible Authentication Protocol

[5] PPP EAP-TLS Authentication Protocol

[6] PEAP – Product Documentation

[7] Microsoft, Cisco prepare for PEAP show

[8] Fisher, Arthur. 2001.Authentication and Authorization:

[9] OpenSSL: The Open Source toolkit for SSL/TLS (

[10] FreeRadius: Remote Authentication Dial-in User Service

[11] Open 1x: Open Source Implementation of IEEE 802.1x

[12] Gast, Matthew. 2002. 802.11 Wireless Networks: The Definitive Guide

O’Reilly Network.

[13] EAP TTLS (IETF draft, work in progress). 2002.

[14] HOWTO on EAP/TLS authentication between FreeRADIUS and XSupplicant

[15] Protected EAP by Magnus Nyström

Top View